

Banish Security Blunders with an Error-prevention Process : Page 4

Traditionally, application security is an afterthought—we build our apps and try to poke holes in them later. Why not take potential security breaches into account from the very beginning? The Automated Error Prevention Methodology provides a framework you can use to integrate security concerns into your app development right from the start.

Security Problem #3: Uncaught Runtime Exception Vulnerabilities
It is true that languages such as Java and .NET (managed C/C++) do not have a problem with buffer overflows. However, these languages suffer from a different problem that is just as serious: uncaught runtime exceptions. Typical checked exceptions provide a relatively easy way to transfer flow and keep a program running when exceptional situations occur. However, unchecked runtime exceptions (exceptions that are automatically thrown by the runtime system when a program violates the language syntax/semantics) are usually an indication of software bugs. They typically stem from problems related to arithmetic, pointers, and indexing, and can occur at any point in a program. If these exceptions surface in the field, the resulting unexpected flow transfer and potential thread termination could lead to instability, unexpected results, or even crashes or security breaches. For example, a very simple NullPointerException in login code could allow a hacker to completely bypass the login procedure.

Uncaught Runtime Exception Best Practice: Identify and remove uncaught runtime exceptions.

The only real way to prevent uncaught runtime exception security vulnerabilities is to identify all possible uncaught runtime exceptions early in the development lifecycle, then examine and modify the code to ensure that it does not provide any opportunities for hackers.

Implementing Uncaught Runtime Exception Best Practices
AEP's standard unit testing practice is designed to expose uncaught runtime exceptions. As you perform the recommended AEP white-box testing practice, you will exercise each code unit with a wide variety of permissible inputs and then identify the potential runtime exceptions that could occur with those inputs. We recommend that you respond to all identified uncaught runtime exceptions before you start working on other code. The appropriate response for each reported exception typically varies based on the nature of the exception. However, one general preventative measure for crucial security methods is to always add a try/catch to the client code to handle any possible exception.
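The following Java sketch is an added example, not code from the original article. It shows how a NullPointerException in a login check can leave access granted when the client defaults to "allowed", and how a client that defaults to "denied" and treats any runtime exception as a failed login closes that gap. The class name, method names, and in-memory user store are assumptions constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

public class LoginExample {
    // Constructed sample store (user -> password); real code would compare salted hashes.
    static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("alice", "correct-horse"); }

    // Crucial security method with a latent bug: for an unknown user, USERS.get()
    // returns null and calling equals() on it throws NullPointerException.
    static boolean passwordMatches(String user, String password) {
        return USERS.get(user).equals(password);
    }

    // Flawed client: access starts as granted and is revoked only on an explicit mismatch.
    // When the exception transfers flow out of the try block, the revocation never runs.
    static boolean loginFailOpen(String user, String password) {
        boolean granted = true;
        try {
            if (!passwordMatches(user, password)) {
                granted = false;
            }
        } catch (RuntimeException e) {
            System.err.println("login error: " + e);
        }
        return granted;
    }

    // Hardened client: access starts as denied and is granted only after a positive
    // match; any runtime exception leaves the default in place, so the login fails.
    static boolean loginFailClosed(String user, String password) {
        boolean granted = false;
        try {
            granted = passwordMatches(user, password);
        } catch (RuntimeException e) {
            System.err.println("login error, denying access: " + e);
        }
        return granted;
    }

    public static void main(String[] args) {
        // "mallory" is not in the store, so both calls hit the NullPointerException.
        System.out.println("fail-open, unknown user:   " + loginFailOpen("mallory", "x"));
        System.out.println("fail-closed, unknown user: " + loginFailClosed("mallory", "x"));
        System.out.println("fail-closed, valid login:  " + loginFailClosed("alice", "correct-horse"));
    }
}
```

A unit test that feeds `passwordMatches` an unknown user name exposes the exception directly, which is the kind of finding the white-box testing described above is meant to surface before the code ships.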

The Key to Success
With security, prevention is the key to success. Using preventative strategies in concert with detection-focused strategies allows you to dramatically reduce the risk of suffering from the problem you are trying to avoid, and can save you considerable time, effort, and resources. AEP can help you ensure that code is written so that later code modifications and reuse will not make the software vulnerable to attack.

Dr. Adam Kolawa is the Chairman/CEO of Parasoft, which he cofounded with a group of fellow CalTech graduate students in 1987. Kolawa's years of experience with various software development processes have resulted in his unique insight into the high-tech industry and the ability to successfully identify technology trends. He can be reached at ak@parasoft.com.